from the choice-of-words... dept

The Director of National Intelligence has now responded to the unveiling of the fact that the NSA inserted backdoors in various forms of encryption and recruited internal spies at telco companies with one of his typically ridiculous statements using carefully parsed words. It sounds like the NSA rushed out that statement, because the attempt to assure the public that it's just being used on bad people leaves open a pretty large loophole. See if you can spot it:

Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.

Highlighting added by me. Here's a tip: when trying to reassure the public that you're not abusing your powers, and that you're breaking basic encryption used widely across the internet for their own good by narrowly targeting whom it's used against, maybe (just maybe) don't include a hedge word that includes every human being on earth.

As Ken White noted, we are all "others" here. We've already noted that previous leaks, concerning "minimization" have shown that the NSA people believe that if your data is encrypted then they can keep it, because you might be evil, and that comes through here as well. They keep trying to focus on how this is just about stopping terrorists, but it always leaves that massive loophole for "others."

So, once again, the NSA's attempt to insist that what it's doing is narrow and targeted and just after "the bad guys," yet again only breeds further reasons to trust the NSA even less. As White notes, this whole situation is particularly disturbing because so much can be classified under "others" that should be seen as reasonable and normal activity of a person who questions whether the government is really acting as a representative of the people.

I am the other because I do not trust my government in general, or the people working for its security apparatus in particular.

I am the other because I believe the Security State and its representatives habitually lie, both directly and by misleading language, about the scope of their spying on us. I believe they feel entitled to do so.

I am the other because I don't believe the Security State and its representatives when they say that government spying is reserved for foreign terrorists. In fact, the NSA's "minimization" techniques — touted as methods for restricting spying to foreign terrorists instead of U.S. citizens — are often transparently and insultingly ridiculous.

I am the other because I don't believe my government when it tries to convince us that enhanced spying techniques are used to protect us from terrorists. I believe, instead, that the increased powers acquired by my government since 9/11 have been habitually brought to bear for domestic purposes, including such things as the ruinous and amoral War on Drugs.

Ken goes on from there and it's well worth reading the entire statement. The NSA sees the American public as the adversary and believes it can track pretty much anyone as an "other." And for those who believe you "have nothing to fear because you've done nothing wrong," it's time to recognize that you too, are the "other."

from the let's-get-real dept

One of the key points that defenders of the NSA surveillance efforts keep making is that if Ed Snowden was so upset by what was happening he had "other avenues" to make his concerns known. Jennifer Hoelzer, whom you may recall from the post she wrote here about President Obama's supposed desire for an open debate concerning NSA surveillance, has penned an excellent piece for Slate, once again debunking the President. This time, it's about those supposed "other avenues" he had. As she notes, the problem is that anyone he took these concerns to would brush him off by claiming "it's legal." But the real concern the public has is the very fact that the NSA and so many of its defenders think this is legal.

If Edward Snowden had concerns that one of his co-workers was abusing the NSA’s surveillance authority to—for example—collect data on a former girlfriend or blackmail a member of Congress, he could have reported his concerns to a supervisor, and it’s highly likely that person would have done something about it.

But, contrary to what the president seems to think, Edward Snowden wasn’t concerned that the NSA was “improperly” collecting information on hundreds of millions of Americans. He was concerned that the government was collecting information on hundreds of millions of Americans. And how exactly does the president think Snowden should have raised that concern?

This is a key distinction that very few defenders of the NSA (and who are attacking Snowden) seem to grasp. The fact that the public -- and many in Congress -- have since spoken out in outrage over the program certainly suggests this is a key point. Every time NSA defenders argue "well, it's legal" they miss out on the fact that a very large number of people don't care because they don't think it should be legal at all. That's the debate we're trying to have -- and it's the one President Obama, Dianne Feinstein, Mike Rogers, Keith Alexander and James Clapper still can't even recognize is the key question.

Either way, as Hoelzer notes, Snowden really had nowhere to "complain" to about this actual issue:

Snowden’s former employer, Booz Allen, which requires employees to report “all suspected violations of the law” and cautions them to “take care to not report a violation to someone that [they] believe is involved in the matter.”

Well, nearly everyone Edward Snowden worked for—up to and including the president of the United States—was involved in the matter. So, again, whom exactly should he have gone to with his concerns?

Okay, well, what about Congress? Multiple people have suggested he could go talk to members of Congress. But, not so fast. Hoelzer takes a look at the Director of National Intelligence James Clapper's website where it has a page on How to File A Whistleblower Complaint, explaining the "process" for contacting Congress (if you aren't comfortable raising the concern within the intelligence community, which, clearly, Snowden was not). But, again, not so easy:

But then I noticed a problem. Before bringing an “urgent concern” to Congress, the guidance states that all potential intelligence community whistle-blowers must first notify the DNI of their “intent to contact the congressional intelligence committees directly.” In other words, if Snowden wanted to inform the Senate intelligence committee that the DNI had lied, he would first have to inform the DNI that he intended to inform on him. That seems like it could be a problem.

But, let’s say it wasn’t. Let’s say the director of national intelligence did the honorable thing and allowed Snowden to go to the Senate intelligence committee with evidence that he lied. Would Snowden have had any reason to believe going to Congress would make the least bit of difference?

Probably not, since the House and Senate intelligence committees were already aware of the NSA’s activities. And, having worked for Wyden, a committee member who spent years trying to raise concerns about domestic surveillance, I can tell you, individual members of Congress were virtually hamstrung from doing anything about the administration’s activities. Especially since the executive branch’s classification rules forbid the senator from sharing his concerns with anyone outside of the intelligence committee, including staff.

So, really, what "official channels" could Snowden have possibly used? As Hoelzer notes, the only way to really blow the whistle on this was to go "over the head" of the federal government and the President -- and that's to go to the American public.

I understand Obama’s frustration. No one likes it when someone goes over his head. It’s humiliating. But when the guy in charge appears to be a significant part of the problem, sometimes the only way to resolve the problem is to let his boss know what’s going on. And when the guy in charge is the president of the United States, that means letting the American people know what he’s been up to.

On that front, it appears that Snowden did exactly the right thing in how he blew the whistle.

from the throw-him-out dept

We've already covered how Director of National Intelligence James Clapper not only lied to Congress, but has now admitted he lied by claiming he told the "least untruthful answer" he could think of, which was extremely untruthful, in that it was untruthful. He was asked whether or not the NSA collects any type of data on millions of Americans and he said no. The full collection of records on every phone call for the past seven years (at least) proves that statement was categorically false. Derek Khanna has an excellent and detailed opinion piece up on how this clearly constitutes an impeachable offense in the form of lying to Congress.

The whole thing is worth reading, but after going through the background leading up to the question and answer, followed by an explanation that Wyden clearly wasn't fishing, but was asking from direct knowledge of what the NSA was doing, Khanna gets to the point of why this is so horrific for a functioning democracy:

Clapper's statement appears to have misled the relevant Congressional Committee, and more importantly, misled Members of Congress who don't receive the information that the Intelligence Committee receives. Ultimately these statements misled the general public. This obfuscation of the truth inhibited the Intelligence Committee from performing proper oversight, which is the primary role of the Intelligence Committee. There is little point in having an oversight committee for intelligence if members of the intelligence community can simply lie when asked questions before a hearing.

Misspeaking at a hearing may be a mistake. Misspeaking before the Intelligence Committee is an extremely grievous mistake. But even more egregious here is the Clapper had ample time to correct the record and apparently failed to do so. Statements made at hearings are not coffee shop like discussions; rather, they are carefully prepared in advance. If Clapper did not have a prepared answer for this question, it's extremely likely that the NSA counsel would have reviewed his statement after the hearing - putting him on notice that if his statement was incorrect he had the obligation to correct it. In fact, if the NSA's counsel knew that Clapper was lying or misspeaking, he may have had a legal obligation to tell Clapper to inform the Committee of his misstatement. And, under a similar procedure for lying at court, if Clapper refused to correct the record then the Counsel may have had an obligation to tell the Committee anyway. This gives some perspective on the legal severity of lying to a congressional committee.

In other words, if Clapper is allowed to lie, expect plenty of other administration officials to lie as well, and say goodbye to any oversight authority that Congress may have once had.

Furthermore, as Khanna points out, President Obama's claims that Congress was "fully informed" about these programs ring hollow when put into context:

President Obama has claimed that Congress was aware of all ongoing programs of this nature. The Administration can't have it both ways. It can't claim that Congress was in the loop and signed off when the Director of National Intelligence appears to have at best misled and at worst lied to the relevant oversight branch.

We've gone through this before. The intelligence community's rogue nature was supposed to have been reined in 40 years or so ago, but in the last decade it appears to have gone right back to the way it used to be. If there is no real oversight, is it really any surprise that they start increasingly looking to expand and abuse the tools they have at their disposal. It seems, at the very least, that Congress should be exploring, deeply, whether or not the administration, and James Clapper in particular, directly lied to Congress, and then continued to lie after that initial lie.

from the do-tell dept

As the NSA and the administration continue to seek to spin the fallout from the leaks that revealed some of the overreaching surveillance efforts of the NSA, what's incredible is how self-contradictory the statements are, even when coming from the same source. The go-to defender of the program has been Director of National Intelligence James Clapper, who has tried arguing both that the leaks and these programs are no big deal and that they present a grave danger to intelligence operations. It's incredible.

First, there's playing it down as no big deal:

In a statement issued Saturday, Director of National Intelligence James R. Clapper Jr. described PRISM as “an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision.”

“PRISM is not an undisclosed collection or data mining program,” the statement said.

Hmm. So if it's no big deal, and all they're doing is facilitating statutorily authorized collection of data, why all the secrecy? Why not be transparent about all of that? And, also, if it's just keeping track of all the legally obtained stuff, why then would he also say the following:

“For me, it is literally – not figuratively – literally gut-wrenching to see this happen because of the huge, grave damage it does to our intelligence capabilities,” Clapper told NBC News’s Andrea Mitchell.

And later, he claimed that the leaker (this was before Snowden revealed himself) had "chosen to violate a sacred trust for this country" and that the leaks "affects the safety and security of this country."

I can't see any way to put together the earlier statements with the later statements that makes any sense at all. If all they were doing is analyzing statutorily authorized data, then there shouldn't be any concern. We'd expect the NSA to have a computer system to do exactly that, right? So... um... why is it damaging to the nation and putting us all at risk? It seems more likely that the truth is that what was revealed wasn't just a simple system for collecting data, as we can see, but rather just how much information the NSA is gathering up into its huge databases. Furthermore, the idea that this puts us in danger is, frankly, insulting. Most folks involved in terrorist activity already assume their phone calls are being tracked, so it's not like this is going to change their tactics.

from the whoops dept

And... yet another leak of NSA surveillance capabilities to The Guardian's Glenn Greenwald (who damn well better get a Pulitzer Prize for this) suggests pretty strongly that the NSA has directly lied, multiple times, when asked to disclose how many people it had spied on in the US. As we've noted for a while, the NSA has claimed that it was not possible to determine how many Americans it had data on. In a letter to Senator Ron Wyden, Director of National Intelligence James Clapper had stated:

While it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed...

An NSA spokesperson also said that it was not possible to figure that out:

Judith Emmel, an NSA spokeswoman, told the Guardian in a response to the latest disclosures: "NSA has consistently reported – including to Congress – that we do not have the ability to determine with certainty the identity or location of all communicants within a given communication. That remains the case."

But, as Greenwald reveals, the NSA appears to have a program, called Boundless Informant (quite a name, huh) that does exactly that.

The leaks are coming fast and furious at this point, and I doubt they're going to stop soon.

from the so-why-are-we-rushing? dept

We've been pointing out for years that all the talk about "cyberattacks" and "cybersecurity" appear to be FUD, mostly designed to scare up money for "defense" contractors looking for a new digital angle. And yet, we keep seeing fear-mongering report after fear mongering report insisting that we're facing imminent threats of such a dire nature that multiple people keep referring to this ridiculous concept of the "cyber Pearl Harbor" which is going to happen any day now if we don't pass vaguely worded bills that will surely ramp up huge contracts. And yet, every time we'd hear these cinematic scare stories, we'd point out that no one has yet died from a "cyber attack" and ask: where was the actual evidence of real harm? Yes, we've seen hack attacks that are disruptive or really about espionage. But that "big threat" coming down to get us all? There's been nothing to support it.

“We judge that there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage,” Clapper said in his statement to the committee. “The level of technical expertise and operational sophistication required for such an attack — including the ability to create physical damage or overcome mitigation factors like manual overrides — will be out of reach for most actors during this time frame. Advanced cyber actors — such as Russia and China — are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.”

He later admitted that some others -- who weren't as knowledgeable -- might be able to sneak in some attacks here or there, but that the impact would likely be minimal:

“These less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years, although their ability to leverage that access to cause high-impact, systemic disruptions will probably be limited. At the same time, there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes, or that vulnerability at one node might spill over and contaminate other parts of a networked system,” he said.

Of course, at the very same hearing, the NSA's General Keith Alexander kept up the propaganda about threats. Alexander has been among those who have been spreading FUD about the "threats" -- including ridiculous claims about Anonymous shutting down the power grid -- so sticking to that line is hardly much of a surprise. This time around he focused on an increasing rate of attacks on Wall Street banks.

He also pulled out the old "the Chinese are stealing our business secrets!" claim. That always sounds good for Congress, but it is unclear how much real impact it has had.

But the Cyber Command chief stressed that the U.S. needs to clamp down on this intellectual property theft, warning it will ultimately "hurt our nation significantly."

"For the nation as a whole, this is our future. This intellectual property, from an economic perspective, represents future wealth and we're losing that," Alexander said.

It doesn't appear he has any real basis for saying that. There are all sorts of ways to compete and to innovate, and falling back on relying intellectual property laws may be the least useful and least efficient manner for doing so.

It would be nice if we could stop all the blatant fear mongering and focus on any actual problems, such as highlighting what important information isn't being shared today, since we keep getting told that it's our lack of information sharing that will lead to a cyber pearl harbor. Now that we know the threat isn't imminent, can we sit back and look at the actual evidence, understand what the real problem is, and see if there's a way to solve it that doesn't involve giving up everyone's privacy rights?